CVE-2024-25637

October is a self-hosted CMS platform based on the Laravel PHP Framework. The X-October-Request-Handler Header does not sanitize the AJAX handler name and allows unescaped HTML to be reflected back. There is no impact since this vulnerability cannot be exploited through normal browser interactions. This unescaped value is only detectable when using a proxy interception tool. This issue has been patched in version 3.5.15.

Published: Jun 26, 2024
Updated: May 4, 2025
CVE: CVE-2024-25637
GHSA: GHSA-rjw8-v7rr-r563
Severity: Low
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
october / system	3.2	3.5.15

https://github.com/octobercms/october/security/advisories/GHSA-rjw8-v7rr-r563

Vulnerability Database

CVE-2024-25637